Common HIPAA Compliance Pitfalls
Health Insurance Portability and Accountability Act (HIPAA), which pertains to safeguards and regulations for those handling medical records to protect personal data, is one of the well-known and common compliance requirements for data centers.
However, precautions and efforts notwithstanding, people continue to make elementary mistakes that would be considered as non-compliant. Here are the common HIPAA mistakes that data centers need to safeguard and those responsible for the data need to be aware of:
Data remaining in phased out drives and servers: HIPAA does not take kindly to data reaching unauthorized hands. When data centers fail to erase records from old or phased out servers, hard drives and other storage infrastructure, there is an outside chance of this information winding up with someone else later, if not immediately. These incidents do happen. For instance, in 2013, a company named Affinity Health Plan was fined as it failed to erase personal health information from the hard drives of photocopiers it had leased. Opt for data centers that have clear-cut disposal mechanisms and systems in place.
Conflict of Law: Compliance with the law, when there is a conflict between local laws of the place where data is stored and the laws of the place where the data emerges, has always been a problem area for cloud storage. With HIPAA, the issue is even more complex. Those handling Protected Health Information need to be aware of not just what HIPAA law says, but also their respective state laws. If the state laws are more strict or protective of Protected Health Information than what HIPAA itself stipulates, than state law takes precedence over HIPAA.
Security Breaches: Security breaches or cyber-attacks can happen. What is worrying is that hackers and phishers seem to have a developed a special liking for Medicare information data as of late, thanks to the lucrative prospects that this information offers. As such, HIPAA data is relatively more prone to attack than other data. Opt for data centers that undertake a comprehensive risk assessment and take adequate technical safeguards that minimize the chances of these types of breaches.
Rogue Insiders: Companies are always wary of rogue insiders, such as disgruntled employees who could steal data. When they outsource to cloud providers and their data centers, most of them remain oblivious to the fact that these cloud providers and data centers could also have rogue insiders who could steal the same data. With HIPAA, the liability on those responsible for the data does not go away, even if those responsible for the threat are not under their direct control or supervision. Always opt for a data center that has laid down precautions in place, such as physical locks on doors to server rooms, to thwart insider threats.
Let the compliance experts at Lifeline Data Centers help you solve your SSAE 16, TIA-942, NFPA, HIPAA, FIMSA, FDA, PCI/DSS and Sarbanes Oxley audit problems. We stay on top of compliance issues so you don’t have to.